New EDA2-Based Ransomware Easily Neutralized

A new variant of the EDA2 educational ransomware has emerged, only to be quickly neutralized, despite its creator’s confidence that he would never get caught.

This ransomware encrypts users' files with AES and appends the .locked extension to each encrypted file. It then drops ransom notes on the infected computer informing victims that they must pay 0.5 bitcoin to get their files back.

The ransomware spread through a link posted alongside a YouTube video advertising a crack for Far Cry Primal. The link supposedly led to the game crack, but the downloaded file was laced with ransomware and encrypted the user's files as soon as it was executed.

Bragging about his ability to infect computers with the ransomware, the developer also stated in the ransom note that he would never get caught and that any attempt by victims to seek help from the security community would be futile.

As it turns out, the ransomware infected over 650 computers, but an analysis of the Bitcoin wallet associated with the campaign shows that only three victims have paid the ransom so far. The good news is that all victims can recover their files for free, because the malware developer made two major mistakes.

The first was the attempt to shame victims while bragging about his superior skills; the second was the use of EDA2's code to build the ransomware. Created by Utku Sen last year and available as open source for several months, EDA2 was designed for educational purposes and included a backdoor in its command-and-control (C&C) server code.

Once the new malware was found to have been built on EDA2, Sen was asked to use the backdoor to connect to the C&C server. Soon after, he announced that he had not only retrieved all the keys from the malware author's server, but had also converted them into working decryption keys.

The decryption keys were immediately published online, and victims can use them with the Hidden Tear Decryptor to restore their files, as detailed in this forum thread. The ransomware no longer appears to be working, and its C&C server is also said to have been shut down.

Soon after news of these vulnerabilities emerged, the group behind the Magic ransomware began blackmailing the creator of Hidden Tear and EDA2 in an attempt to have both open-source projects taken offline. Sen pulled the code for both and also committed to helping users who fell victim to ransomware based on his creations.